<html>
<head><meta charset="utf-8"><title>patched = [&quot;x.y.z&quot;] without operators · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/patched.20.3D.20.5B.22x.2Ey.2Ez.22.5D.20without.20operators.html">patched = [&quot;x.y.z&quot;] without operators</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="244639837"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/patched%20%3D%20%5B%22x.y.z%22%5D%20without%20operators/near/244639837" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/patched.20.3D.20.5B.22x.2Ey.2Ez.22.5D.20without.20operators.html#244639837">(Jul 01 2021 at 23:28)</a>:</h4>
<p>We have an advisory that does not declare any operators on patched versions: <a href="https://github.com/RustSec/advisory-db/blob/main/crates/stackvector/RUSTSEC-2021-0048.md"><code>RUSTSEC-2021-0048</code></a>. It lists <code>patched = ["1.0.9"]</code>.<br>
Under both the old and the new version matching logic this means "anything semver-compatible with <code>1.0.9</code>", so 2.0 and onwards will be reported as vulnerable.<br>
I suppose I should just patch this particular advisory to list <code>&gt;= 1.0.9</code>, but what should we do in such cases going forward?<br>
The options that occur to me are either treating it as an implicit <code>&gt;=</code> or prohibiting this kind of ambiguous specification. Thoughts?</p>



<a name="244640604"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/patched%20%3D%20%5B%22x.y.z%22%5D%20without%20operators/near/244640604" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/patched.20.3D.20.5B.22x.2Ey.2Ez.22.5D.20without.20operators.html#244640604">(Jul 01 2021 at 23:37)</a>:</h4>
<p>prohibiting seems right to me (but I have no expertise in this area so take it with a grain of salt)</p>



<a name="244640816"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/patched%20%3D%20%5B%22x.y.z%22%5D%20without%20operators/near/244640816" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/patched.20.3D.20.5B.22x.2Ey.2Ez.22.5D.20without.20operators.html#244640816">(Jul 01 2021 at 23:40)</a>:</h4>
<p>I've fixed up the affected advisory in the meanwhile: <a href="https://github.com/RustSec/advisory-db/pull/945">https://github.com/RustSec/advisory-db/pull/945</a></p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>